Cybersecurity getting attention of companies, too

Cybersecurity is not just moving up the agenda for investors and their managers: companies also are increasingly viewing it as a business and operational risk.

"On the (governance) front, cybersecurity has become a key risk that senior management and boards are paying close attention to," said Maykala Hariharan, Singapore-based senior consultant at Mercer Sentinel. She said it is no longer viewed as simply a technology-related risk but as a business risk, "as cyberattacks can have significant financial implications on a company's bottom line. This is particularly true of financial services companies, where large volumes of data are being stored at the firms and also at external service providers such as custodians" or brokers, she said.

A number of elements are helping to focus company executives' minds on the topic. "The impact on a portfolio (or) company can be multi-fold – loss of investor assets, reputational damage, litigation from investors and regulatory sanctions," said Ms. Hariharan.

Regulation is upping the ante for businesses. "Regulators are also increasing their focus in this area – within the financial sector, we count 52 controversies that actively affect the rating of almost 40 companies, more than half of which are banks," said Gaia Mazzucchelli, London-based research analyst at MSCI ESG Research.

She said that while penalties related to cyberrisks tend to be minimal compared to other fines in the financial sector, such as those related to business ethics, "the evolution of regulations, the severity and the increase of the frequency of those controversies suggest that the amount of those cyber-related fines can rapidly increase in the future."

Felipe Gordillo, senior ESG analyst at BNP Paribas Asset Management in Paris, said increasing regulatory pressure in Europe comes in the shape of the General Data Protection Regulation, which comes into force in the European Union in 2018. Organizations in breach of the new rules can be fined up to 4% of annual global turnover or €20 million — whichever is greater. "There is a material regulatory impact for companies," said Mr. Gordillo, speaking on a panel at the Principles for Responsible Investment's annual PRI In Person conference, held in Berlin Sept. 25 to 27.

Cyber-related regulation is in effect around the world. This year the Australian Senate passed The Privacy Amendment (Notifiable Data Breaches) Act 2017, which mandates any company that falls under the country's Privacy Act to inform the Australian Information Commissioner and the public if their data has been compromised.

Also this year China rolled out its cybersecurity law, said Ms. Hariharan. The law is the first of its kind nationally, with legal principles for data privacy and significant finanical penalties for breaches.

Penalties can run up to 1 million renminbi ($153,000) and individuals directly in charge can also be fined, said Ms. Hariharan.

And Singapore's cybersecurity act is set to be enacted this year, to "pre-emptively secure IT infrastructure and ensure reporting of incidents," added Ms. Hariharan.